GCN Home > 02/04/08 issue
Taking control of IPv6
IPv6: FAQ
By William Jackson
What is IPv6?

IPv6, or Internet Protocol version 6, is the next-generation version of IPv4, the venerable networking standard that has increasingly driven the Internet since 1980. It's the true follow-on to IPv4, since IPv5 was nominally the designation for the Internet Stream Protocol that was first suggested in the late 1970s for experimental transmission of voice, video and distributed simulation.

Technically, IPv6 differs mainly by using a 128-bit address space, four times that of IPv4. Other differences are allowance for universal plug and play, support for multiple forms of multicast and for anycast, inherent use of IPsec security protocols, and significantly better scalability.

What ever happened to IPv5?

What does IPv6 mean for address space?

Though the IPv6 address space is only four times that of IPv4, it means the number of available unique IPv6 Internet addresses, which define where systems and devices are on the network and how data packets get from one place to another, totals 3.4 x 10^38 (or 10 to the 38th power).

The 4 billion addresses available under IPv4 could be completely consumed in the next several years. With IPv6, however, each person on Earth could theoretically have 50 octillion, or 5 x 10^28, unique addresses.

Exactly how many addresses are actually available is open to interpretation, however, since the first 64 bits of the 128-bit address space are reserved for network routing.

The Defense Department, for example, has acquired a /16 (slash 16) block of addresses. That means 16 of the leftover bits go for externally reachable routing, and the other 48 bits for subnets, though each subnet can have its own 64-bit address space. The DOD's /16 gives it just 281 trillion network addresses and, theoretically, 18.45 quintillion (18.45 x 10^18) host addresses.

Bitten by IPv6

What can IPv6 do for you?

IPv6 allows for end-to-end connectivity across the network, much greater mobility for network users and autoconfiguration of all IPv6-enabled devices connected to the network.

The DOD's vision of the networked warrior and its goals for net-centric warfare, for example, would not be possible without IPv6.

The protocol's use of longer addresses and optimized message headers will also allow users to specify just what function a device plays on the network, allowing for different quality of service for certain kinds of traffic and so boosting the operation of services such as voice over IP and videoconferencing.

IPv6 adoption probably won't be driven by particular applications, though the overall move to converged, handheld devices and the increasing needs of mobile computing should be major incentives for the increased use of IPv6.

That said, IPv6 should spawn some pretty nifty apps. The peer-to-peer networking possible with IPv6, without the need for servers in between, could rewrite the notion of networked collaboration, for example. It should also provide for tighter control of networked devices.

It will also mean lighter-weight applications, and the chance to eliminate some of the network hardware that now performs some of the functions that will be included in these new applications.

Ask not what you can do for IPv6, but rather what IPv6 can do for you

A new kind of protocol

The means to end-to-end

How does IPv6 do for security?

In the short term, as agencies are transitioning to IPv6, security might be of more concern, since a dual-stack approach, with both IPv4 and IPv6 active on the network at the same time, will likely be the preferred approach, and the appropriate security for each version of the protocol has to be managed.

Tunneling, as a way to encapsulate IPv6 packets for transport across an IPv4 network, is already popular as a relatively cheap way to provide dual IPv4/IPv6 capability, but it also introduces security issues. Unknown tunnels could be opened, which introduces a security risk, so policies have to be developed to determine who can use tunneling, and for what purpose.

That said, IPsec is included in IPv6 as the default security scheme. Because it operates at the network layer of the protocol stack, it is independent of the applications and services that run over the network, and so is considered more flexible than other popular security protocols such as SSL. It also provides for data encryption.

If IPsec is turned on, IPv6-capable security devices such as firewalls and intrusion detection systems will automatically configure themselves with an IPv6 address.

IPv6 security: The forgotten element

Hackers are ready for IPv6 - are you?

When will IPv6 arrive?

To some extent it's already here. Microsoft's Windows Vista operating system is IPv6-enabled by default, other operating systems support IPv6, and more and more devices are IPv6-capable. Telecom companies' backbone networks are all IPv6-ready, and some of those are carrying IPv6 traffic now.

However, there were very few active IPv6 nodes on the Internet at the beginning of 2008. There are not many applications that require it, and until there are, or until the number of IPv4 addresses wilts completely, both private companies and government agencies have little incentive to turn to IPv6 for their networking needs.

Federal government agencies have until June of 2008 to make sure their backbone networks are capable of carrying IPv6 traffic, but that doesn't mean they will have to at that time.

Getting ready for IPv6? It's already here

How does IPv6 affect you now?

The Office of Management and Budget said in 2005 it would require federal agency networks to be IPv6-capable by June 2008. At the time only the Defense Department had made serious efforts to prepare for IPv6, according to a Government Accountability Office report, and most others had not inventoried IPv6 software and equipment or developed business cases or cost estimates.

By the end of 2007, most agencies were seen as having made some progress toward IPv6, though the level of progress differed widely. Some were well into implementing their plans and had begun the move; some were still considering the best way to make the transition.

Where practical, OMB requires agencies to buy only equipment and software that is IPv6-compliant. A written waiver is required for any other procurement. Where it isn't compliant, it has to be adapted for IPv6 by the June 2008 deadline.

Federal standards agencies are generally well advanced in developing the necessary guidance for agencies making the move to IPv6. Early in 2008 the National Institute of Standards and Technology released its latest draft of proposed standards for IPv6 networking and security products. The National Security Agency in 2007 started development of software to make sure IPv6 was secure enough to be used on classified networks.

Both the DOD and intelligence agencies are planning to move at least their classified networks to IPv6 by 2010.

The answer is: IPv.what?

NSA ponies up to secure IPv6

Latest draft of federal IPv6 profile released for comment

What are the IPv6 deadlines?

The next deadline is June 30, 2008. By then, all agencies should have completed their transition to IPv6 on their backbone networks, and all other agency networks should be able to interface with them.

Before then, deadlines set by the Office of Management and Budget were:
- By June 30, 2006 agencies should have completed an inventory of IP-aware applications and peripherals that depend on the backbone network, along with an IPv6 transition impact analysis.
- By February 28, 2006, agencies should have developed backbone transition plans.
- By November 15, 2008, agencies had to identify who would lead their IPv6 transitions, and had to have completed an inventory of IP-aware devices in the backbone.

OMB details milestones to move to IPv6

Agencies, start your protocols!

Office of Management and Budget IPv6 directive

How is Microsoft handling Vista?

Microsoft made IPv6 the preferred network protocol in its latest operating system, Windows Vista, and committed to making all of its enterprise applications IPv6-ready out of the box.

To allow its customers to use IPv6, it included Teredo, a protocol that allows dual-stack IPv6/IPv4 nodes to pass IPv6 traffic to each other by tunneling through Network Address Translation (NAT) devices and across non-IPv6-enabled local networks.

NATs are used on the Internet as a way of artificially expanding the IPv4 address space by translating the address and port numbers of traffic to and from private network hosts that use IPv4 addresses.

However, some observers have noted that, although Teredo is designed to be used as the IPv6 provider of last resort, it's typically used more often than recommended, leaving computers open to attack from the outside since it can bypass regular security controls.

Workarounds include making security devices specifically aware of Teredo packets so they can inspect them, or blocking them completely and relying on native IPv6 traffic only.
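
The tunneling concern raised in the security section and the "make security devices aware of Teredo" workaround above can be made concrete with a small classifier; this is an added illustration, not code from the article or from Microsoft. It assumes raw IPv4 packets as input and relies on three protocol facts: IPv6-in-IPv4 encapsulation uses IP protocol 41, Teredo servers listen on UDP port 3544, and Teredo addresses fall in 2001::/32 with the server address and the client's inverted external address and port embedded in them. The function names and sample packets are constructed for the example.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)
TEREDO_PORT = 3544                                  # UDP port Teredo servers listen on

def decode_teredo(addr):
    """Recover (server IPv4, client external IPv4, external port) from a Teredo address."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed
    server = ipaddress.IPv4Address(raw[4:8])
    port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF               # stored bit-inverted
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))  # also inverted
    return str(server), str(client), port

def classify(pkt):
    """Label a raw IPv4 packet as '6in4', 'teredo' or None (no IPv6 tunnel seen)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == 41:                                  # IP protocol 41: IPv6 inside IPv4
        return "6in4"
    if pkt[9] != 17 or len(pkt) < ihl + 8:            # 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    inner = pkt[ihl + 8:]
    if len(inner) >= 40 and inner[0] >> 4 == 6:       # UDP payload starts like an IPv6 header
        ends = (ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40]))
        if any(a in TEREDO_PREFIX for a in ends):     # catches peer traffic on other ports
            return "teredo"
    return "teredo" if TEREDO_PORT in (sport, dport) else None

# --- constructed sample packets (documentation address ranges, checksums left at zero) ---
def ipv4(proto, payload, src="192.0.2.45", dst="203.0.113.1"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload
def ipv6(src, dst):
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + b"".join(ipaddress.IPv6Address(a).packed for a in (src, dst))
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

TEREDO_ADDR = "2001:0:cb00:7101:8000:63bf:3fff:fdd2"   # constructed Teredo address
SAMPLES = {
    "proto41": ipv4(41, ipv6("2001:db8::1", "2001:db8::2")),
    "teredo_p2p": ipv4(17, udp(40000, 51000, ipv6(TEREDO_ADDR, "2001:db8::2"))),
    "teredo_server": ipv4(17, udp(40000, 3544, b"\x00\x01" + bytes(12))),
    "dns": ipv4(17, udp(40000, 53, bytes(40))),
}
```

Checking the inner header, not just port 3544, matters because Teredo traffic between peers does not have to use the server port. Non-first IPv4 fragments carry no UDP header and are not handled here.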

IPv6 tunneling in Vista a new area of concern

Many unknowns remain in move to IPv6
